The forecast for cloud security should read “sunny and clear” but enterprises looking to adopt cloud-based IT and communications services continue to deal with uncertainty about whether the services they receive and, more importantly, any of their content is truly secure. They certainly recognize all the other business benefits of cloud based services (including but not limited to access to services and information wherever you are, business continuity in the event of a disaster, opex vs. capex and others) but balk at signing on until they are comfortable that the services are secure. This provides a great opportunity for service providers to differentiate themselves from others in the area of cloud security using a combination of technology, messaging and most importantly education about cloud security. It is the author’s opinion that FUD is probably the biggest contributor to an enterprise’s insecurity about cloud security. The remainder of this article outlines some strategies to use to overcome objections about cloud security.

The list of strategies actually begins with an observation: The very same decision makers that struggle with this question for their businesses use cloud-based services in their personal lives and do so with some of their most critical private information — online banking is an example. Consumers believe this to be secure and that belief is not coming from them having any deep dive into the bank’s cloud design — that belief may largely be coming from the fact that the banking industry is regulated and that someone else is ensuring that everything is secure. As we look into this deeper, it will be apparent that third-party testing, certification and compliance will be a key strategy toward overcoming objections.

Many enterprises believe that their computing or communications is more secure when it remains entirely on their premises or if they build a private cloud. While it is technically feasible for enterprises to design a solution that is secure, the operational aspect of the IT and communications services over time result in security becoming increasingly lax. This degradation often comes from process engineering failures — weak passwords, password change policies that were strong when they started but succumbed to user pressure and eased up on the policies, amongst others. Enterprises in the SMB sector often do not have the budgets and the resources to ensure that security practices are being stringently followed; in fact they may not even know that this is not happening, as there is no formal audit process in place. By comparison, service providers can offer cloud services that are built around stringent security requirements including ongoing compliance audits and reports.

Service provider clouds are typically better at balancing security and usability. The easiest way to secure a private cloud is to lock it down like Fort Knox. Even that strategy can backfire if employees get frustrated and look for ways to circumvent security just so they can get access from wherever they are, including their home office, hotel room and airport lounge. The service provider architecture, on the other hand, has to be designed for a Fort Knox-level of security and access, and they are in a better position to establish points of presence wherever their customers are. Economies of scale have a big bearing on security as well; providers are able to spread the cost of the technology, process, people and systems across their entire customer base. In contrast, the enterprise is limited by its size; any extra cost must either make its way into their pricing or cut in to their profit margin — neither being a desirable outcome.

Hackers are almost always a step ahead of the enterprises in discovering and exploiting security loopholes. The typical enterprise does take the normal step of protecting the network using firewalls, intrusion detection and prevention services and similar appliances and services. However, that is only step one in securing the enterprise. It is critical that the enterprise is plugged into the world of hackers to stay current with, if not ahead of, what is happening in the hacker’s domain. If the enterprise gets disconnected from this, they will also miss notifications about new threats and how to protect against them. They may certainly think about outsourcing the Security Operations Center function of their organization but that very thought process should also set them thinking about why they would not move relevant portions of their IT and communications into the cloud with a service provider that is in fact plugged into the hacker’s ecosystem 24/7. Once again economies of scale play a pivotal role in enabling the service provider to be in a better position in staying abreast or ahead of the hackers. Service providers may use information they have learned about threats faced by a set of their customers and apply protection against such threats to their entire base of customers.

Service providers also can leverage the concept of standards to their benefit in the area of cloud security. They are plugged into the security standards ecosystem and often guide the development and evolution of these standards. As such they are early adopters of these standards. Having been involved in this effort early lets them properly budget for these costs — a typical enterprise only hears about these developments much later and that may potentially delay adoption as their IT team needs to learn about the change and then figure out how to budget for any additional costs.